ISP Gets Tough With 'Zombie' Customers

Broadband provider Comcast is taking a tough new approach to targeting "spam zombies" -- those virus-infected, unwitting spam-sending computers among its broadband base.

The ISP is telling customers to get virus-scanning and firewall software loaded or risk losing their high-speed connection until the problem of virus infections on their computer is fixed.

In recent weeks, the cable broadband giant has been alerting surprised customers to the problem with letters and notices warning them that they'll be disconnected if steps aren't taken to tighten security.

"We have confirmed that your machine has been involved in transmitting unsolicited e-mail, an activity that is in violation of the Comcast Terms of Service Agreement," the Comcast message reads.

Possible causes for unauthorized mass e-mailing include insecure servers or misconfigured wireless access points. But the most likely culprit is a Trojan or other malicious file with a built-in SMTP engine that has entered through an open port on a user's computer, turning the machine into a zombie that is then used to launch DoS attacks on other servers or to relay spam.

Chris Belthoff, a senior security analyst at Sophos, said zombie machines are a drain on an ISP's bandwidth and storage budgets. There are also hidden call center costs, as customer service representatives have to devote time to documenting spam complaints.

"The problem Comcast is trying to solve is a very serious one," said Belthoff, whose research has found that about 30 percent of spam comes from consumer-based PCs.

A Scandinavian ISP, TeliaSonera, engaged in a similar crackdown last year. The approach is not without risk: online discussion groups include posts from Comcast customers who claim their service was disconnected without warning.

But Belthoff said most notices sent to customers include instructions on downloading antivirus and firewall software.

Despite blacklists, e-mail filters and legislative efforts like the CAN-SPAM Act, there's been no slowing spam. Several analysts say the convergence of spammers and virus writers is the cause.

As spammers grow more sophisticated in using compromised machines to do their work, vendors are trying new approaches to counter the problem.

Microsoft, for example, is working on rolling out new PC monitoring capabilities in its next version of Windows -- code-named Longhorn -- that will adjust a computer's firewall or PC settings automatically (if necessary) in order to block specific attack vectors even before the relevant patch is installed. As reported by internetnews.com, the operating system will then issue security warnings to the user and proactively block open ports or adjust registry settings to plug security holes.

Another company, Symbiot, is about to release a new product that not only analyzes network patterns, but helps manage attacks by essentially hitting back, which has caused a stir in the security community.

Previously, hackers wrote malicious code to make a name for themselves. But now, virus writers are in cahoots with spammers. Thanks to the alliance between spammers and virus writers, an increasing number of worms carrying backdoor Trojans have the ability to set up open proxies. Once those are in place, the spammers can take control of the infected machines and use them to send out wave after wave of spam.

Antivirus experts estimate that the recent MyDoom-A worm compromised 500,000 to 1 million computers -- all with open proxies. And they expect that army of zombie machines will be put to use in the spam community, much as anti-spam experts believe computers infected with the Sobig virus were.

For end users, the best advice is to keep antivirus and personal firewall programs updated, Belthoff said.

And from Comcast's point of view, setting up a personal firewall is increasingly becoming a customer requirement for getting online.